Open campus, security nightmare

Maintaining security at universities is tricky, agreed a panel of those who ought to know. But they also agreed that while perfection is out of reach, reasonable protection is possible.

It sounds like a security oxymoron: Protect educational institutions that are meant to be, as Fitchburg State University information security officer (ISO) Sherry Horeanopoulos put it, "wide-open and unguarded."

But Horeanopoulos and several of her colleagues on a panel at the SANS Security Leadership Summit Wednesday in Boston, agreed that it is possible.

"We work in an environment that is designed to be wide open and unguarded," she said. "Professors and students need access to resources that span the globe. So how do you take a top-down approach in a bottom-up environment? Everything can't be completely protected, but we provide an open, flexible place to work in technology by working to keep things reasonably safe and not being dictators."

The panel discussion, titled "CISO 101: Lessons Learned from Higher Education," was moderated by Larry Wilson, CISO at UMass, and also included David Escalante, director of computer policy and security at Boston College; and David Sherry, CISO at Brown University.

Another major challenge, they said, is that a university campus is like a small city, where the security team has to deal with "everything in the city. We provide housing in residence halls, entertainment and sporting events, food, we're associated with hospitals so we're involved in health care, we make loans so we're defined as bank you can't win," said Escalante.

And then there are the multiple constituencies, Sherry said, which include, "faculty, staff, students, donors, boosters, athletic support groups, applicants, parents and alumni it's very wide."

Given that environment, the panelists said they have to set priorities and focus on a limited number of things.

Escalante said one of the things he does is firewall off the data center from the campus network.

But there was general agreement that the goal in dealing with those on campus students especially is to enable what they need. "We try never to deny them a service," Horeanopoulos said.

Sherry agreed. "The key goal is never to say no we don't want to turn them down, just enable them to do it securely," he said. "So I like to call it a persuasion program. We try to convince them to do the right thing."

And that, he said, takes personalizing the security message. "If we put something on at lunch about how to protect their home network, people come because it's about them," he said. "If you make them secure at home, they will be secure at work."

Escalante said the same is true in the dorms. "Don't tell them about something in the New York Times," he said. "Tell them about something bad that happened to a guy down the hall."

It is a constant battle, however, Horeanopoulos said. "You can't keep up with every threat. We have perimeter guards that let us know what's going on, but even that you can't sift through all day long. So you try to automate what you can."